Russia/Ukraine Conflict
03/17/2022
Russo-Ukrainian War: A Timeline
Roots of the Conflict
The World Responds…
… As Does Hacktivist Group Anonymous
• On February 24, members of Anonymous announced on Twitter that they would be launching attacks
against the Russian government.
• The hacktivists defaced some local government websites in Russia and temporarily took down others,
including the website of Russian news outlet RT.
• The group claimed on February 25 that it would leak login credentials for the Russian Ministry of Defense
website.
…And the Conti RaaS Group
• On February 25, the Conti RaaS group announced it was supporting Russia and the Russian people.
• Conti is well known to hit organizations where IT outages can have life-threatening consequences, including
HPH organizations. The group is connected to more than 400 cyberattacks worldwide, approximately 300 of
which were against U.S.-based organizations. Demands can be as high as $25 million.
• Conti later walked back the statement after receiving criticism from members and the cybercriminal
community.
• A Ukrainian nationalist member of the RaaS group leaked internal chats, source code, and stolen data in
retaliation.
• “Greetings,” one tweet began. “Here is a friendly heads-up that the Conti gang has lost its s****.” The
message included a link that would allow anyone to download almost two years of private chats. “We
promise it is very interesting,” the tweet added.
Russian Attacks on Healthcare in Recent History: NotPetya
Russian Attacks on Healthcare in Recent History: FIN12
Russian Attacks on Healthcare in Recent History: Ryuk
• Ryuk was one of the first ransomware variants able to identify and encrypt network drives and shares, and to
delete Volume Shadow Copies on the endpoint.
o By deleting shadow copies and disabling Windows System Restore, the operators make it impossible to
recover from an attack without external backups or rollback technology.
• Since 2018, the Ryuk ransomware attack has wreaked havoc on at least 235 hospitals and inpatient
psychiatric facilities, as well as dozens of other healthcare facilities.
o The result: suspended surgeries, delayed medical care, and the loss of millions of dollars (as of
June 2021).
• HC3’s previous coverage of Ryuk can be found at:
o Threat Brief 04/08/2021: Ryuk Variants
o Threat Brief 11/12/2020: Trickbot and Ryuk
o Threat Brief 01/30/2020: Ryuk Update
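The shadow-copy deletion and recovery-disabling behaviour described above is one of the most reliable pre-encryption signals a defender can look for. The following is an added example, not HC3 code and not code from Ryuk, that runs a small rule set over process-creation records and then requires several distinct rules to fire on one host before calling it high confidence. The record format (`Key=Value|Key=Value`), the field names and the sample lines are constructed to resemble Sysmon Event ID 1 data; the set of native tools covered by the rules is an assumption chosen for illustration, not an exhaustive catalogue.

```python
"""Flag endpoint command lines that delete Volume Shadow Copies or disable
Windows recovery, the pre-encryption step Ryuk is known for.
Added example; not HC3 or Ryuk code. The log format and sample lines are
constructed to resemble Sysmon Event ID 1 (process creation) records."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Rule name -> case-insensitive regex over the full command line. The native
# tools covered here are an assumption for illustration, not a complete list
# of ransomware recovery-inhibition techniques.
RULES = {
    "vssadmin_delete_shadows": re.compile(
        r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I),
    "vssadmin_resize_shadowstorage": re.compile(
        r"\bvssadmin(\.exe)?\b.*\bresize\b.*\bshadowstorage\b", re.I),
    "wmic_shadowcopy_delete": re.compile(
        r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    "bcdedit_disable_recovery": re.compile(
        r"\bbcdedit(\.exe)?\b.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I),
    "wbadmin_delete_catalog": re.compile(
        r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\bcatalog\b", re.I),
    "powershell_delete_shadowcopy": re.compile(
        r"win32_shadowcopy.*\b(delete|remove-wmiobject|remove-ciminstance)\b", re.I),
}


@dataclass(frozen=True)
class Finding:
    host: str
    user: str
    rule: str
    command_line: str


def parse_event(line):
    """Split a 'Key=Value|Key=Value' record (constructed format) into a dict."""
    fields = {}
    for part in line.strip().split("|"):
        key, sep, value = part.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def scan(lines):
    """Return one Finding per (event, matching rule) pair."""
    findings = []
    for line in lines:
        event = parse_event(line)
        cmd = event.get("CommandLine", "")
        for rule, pattern in RULES.items():
            if pattern.search(cmd):
                findings.append(Finding(event.get("Host", "?"),
                                        event.get("User", "?"), rule, cmd))
    return findings


def high_confidence_hosts(findings, min_rules=2):
    """Hosts on which at least `min_rules` distinct rules fired. One vssadmin
    call may be an administrator at work; several different recovery-
    inhibiting commands on the same host is the ransomware pattern."""
    rules_by_host = defaultdict(set)
    for f in findings:
        rules_by_host[f.host].add(f.rule)
    return {h: sorted(r) for h, r in rules_by_host.items() if len(r) >= min_rules}


# Constructed sample log: three recovery-inhibiting commands on WS-0412, a
# harmless 'vssadmin list shadows' from a backup account, and a benign process.
SAMPLE_LOG = [
    "Host=WS-0412|User=CORP\\jdoe|Image=C:\\Windows\\System32\\vssadmin.exe|CommandLine=vssadmin.exe Delete Shadows /All /Quiet",
    "Host=WS-0412|User=CORP\\jdoe|Image=C:\\Windows\\System32\\wbem\\WMIC.exe|CommandLine=wmic shadowcopy delete",
    "Host=WS-0412|User=CORP\\jdoe|Image=C:\\Windows\\System32\\bcdedit.exe|CommandLine=bcdedit /set {default} recoveryenabled No",
    "Host=SRV-BKP1|User=CORP\\svc_backup|Image=C:\\Windows\\System32\\vssadmin.exe|CommandLine=vssadmin list shadows",
    "Host=WS-0099|User=CORP\\asmith|Image=C:\\Windows\\System32\\notepad.exe|CommandLine=notepad.exe C:\\Users\\asmith\\notes.txt",
]

if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for f in hits:
        print(f"{f.host} {f.user} {f.rule}: {f.command_line}")
    print("high-confidence hosts:", high_confidence_hosts(hits))
```

The per-host correlation is the part worth keeping: a backup operator listing shadow copies never fires a rule, a single `vssadmin delete shadows` fires one and deserves a look, and the three-command burst on WS-0412 is what an analyst should be paged for.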
Russian Cyber Operations Against Ukraine
HermeticWiper
WhisperGate
• WhisperGate is destructive disk-wiping malware that is believed to operate in three stages:
o A malicious bootloader, written to the Master Boot Record, that corrupts the local disks when the machine
next boots
o A Discord-hosted downloader that retrieves the next stage
o A file wiper that overwrites files so that they cannot be recovered
• WhisperGate was observed attacking organizations in Ukraine in January 2022, weeks before the Russian
invasion launched on February 24, 2022.
• The WhisperGate bootloader and file wiper complement each other. Both irrevocably corrupt the victim’s
data while displaying a ransom note to disguise the operation as ransomware; no decryption or recovery is
actually offered.
• More about HermeticWiper and WhisperGate can be found in the HC3 Sector Alert published on March 1,
2022, entitled The Russia-Ukraine Cyber Conflict and Potential Threats to the US Health Sector.
Potential Impact on US HPH
• Three concerns:
o That hospitals and health systems may be targeted directly by Russian-sponsored cyber actors.
o That hospitals and health systems may become incidental victims of Russian-deployed malware or
destructive ransomware.
o That a cyberattack could disrupt hospitals' services.
Best Practices and Mitigations
• Be prepared.
o Confirm reporting processes and minimize personnel gaps in IT/OT security coverage.
o Create, maintain, and exercise a cyber incident response plan, resilience plan, and continuity of operations
plan so that critical functions and operations can be kept running if technology systems are disrupted or
need to be taken offline. Hospitals and health systems should implement 4- to 6-week business continuity
plans and well-practiced downtime procedures.
• Enhance your organization’s cyber posture.
o Follow best practices for identity and access management, protective controls and architecture, and
vulnerability and configuration management.
o Increase staff awareness of the greater risk for receiving malware-laden phishing emails.
o Check network and data backups and make sure that multiple copies exist – off-line, network
segmented, on-premises, and in the cloud, with at least one immutable copy.
• Geo-fence all inbound and outbound traffic originating from, or related to, Ukraine and its surrounding region,
and first identify all internal and third-party mission-critical clinical and operational services and technology
that such blocking could affect. SANS offers tips on how to do this: Geoblocking When You Can’t Geoblock.
• Increase organizational vigilance. Stay current on reporting on this threat.
• See CISA’s Shields Up page for more information on guidance, mitigations, and reporting of malicious activity
that may be associated with the conflict.
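Geo-fencing only works if the mission-critical exceptions are identified before enforcement, and when the perimeter device cannot block by country the same policy can be run over flow logs and alerted on instead. The following is an added example, not HC3 or SANS code, that evaluates flows against a fence policy with an allowlist for known-critical hosts. The prefix-to-region table uses documentation-only ranges (RFC 5737 and RFC 3849) with made-up region tags, so it implies nothing about real address allocations; a deployment would load a maintained geo-IP feed in its place, and the allowlisted address and the sample flows are constructed.

```python
"""Evaluate network flows against a geo-fence policy.
Added example; not HC3 or SANS code. GEO_TABLE is built from documentation-
only prefixes with made-up region tags and stands in for a real geo-IP feed."""
import ipaddress
from collections import namedtuple

GEO_TABLE = [  # (prefix, region tag); constructed, not real allocations
    (ipaddress.ip_network("192.0.2.0/24"), "FENCED-A"),
    (ipaddress.ip_network("198.51.100.0/25"), "FENCED-B"),
    (ipaddress.ip_network("203.0.113.0/24"), "PARTNER-C"),
    (ipaddress.ip_network("2001:db8:1::/48"), "FENCED-A"),
]
FENCED_REGIONS = {"FENCED-A", "FENCED-B"}
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Mission-critical exceptions identified before enforcement (hypothetical
# vendor support host that happens to sit inside a fenced range).
ALLOWLIST = {ipaddress.ip_address("198.51.100.10")}

Flow = namedtuple("Flow", "src dst dport")


def region_of(ip):
    """Longest-prefix match of `ip` in GEO_TABLE; 'UNKNOWN' if no entry."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, region in GEO_TABLE:  # `in` is False across IPv4/IPv6, no error
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, region)
    return best[1] if best else "UNKNOWN"


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)


def evaluate(flow):
    """Return (verdict, reason); verdict is ALLOW or BLOCK."""
    src_int, dst_int = is_internal(flow.src), is_internal(flow.dst)
    if src_int and dst_int:
        return "ALLOW", "internal-to-internal"
    direction = "outbound" if src_int else "inbound"
    external = flow.dst if src_int else flow.src
    region = region_of(external)
    if ipaddress.ip_address(external) in ALLOWLIST:
        return "ALLOW", f"{direction} {external} allowlisted (region {region})"
    if region in FENCED_REGIONS:
        return "BLOCK", f"{direction} {external} in fenced region {region} (dport {flow.dport})"
    return "ALLOW", f"{direction} {external} region {region}"


def audit(flows):
    """Apply the policy to a batch and return the flows it would block.
    Run this over exported flow logs when enforcement at the perimeter is not
    possible, and alert on the result."""
    blocked = []
    for flow in flows:
        verdict, reason = evaluate(flow)
        if verdict == "BLOCK":
            blocked.append((flow, reason))
    return blocked


# Constructed sample flows.
SAMPLE_FLOWS = [
    Flow("10.1.2.3", "192.0.2.44", 443),       # outbound to fenced region -> BLOCK
    Flow("192.0.2.9", "10.1.2.3", 3389),       # inbound RDP from fenced region -> BLOCK
    Flow("2001:db8:1::5", "10.1.2.3", 22),     # inbound IPv6 from fenced region -> BLOCK
    Flow("198.51.100.10", "10.1.2.3", 443),    # allowlisted exception -> ALLOW
    Flow("198.51.100.200", "10.1.2.3", 443),   # outside the fenced /25, unknown -> ALLOW
    Flow("10.1.2.3", "203.0.113.5", 443),      # partner region -> ALLOW
    Flow("10.1.2.3", "10.9.9.9", 445),         # internal -> ALLOW
]

if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        print(flow, *evaluate(flow))
```

Two points the fence must get right are shown by the sample flows: the allowlist check runs before the region check so a critical vendor host inside a fenced prefix keeps working, and the IPv6 entry is in the table because a fence that only covers IPv4 is trivially bypassed by dual-stack hosts.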
Russian Tactics, Techniques, Procedures
• Russian state-sponsored advanced persistent threat (APT) actors have used common but effective
tactics—including spear phishing, brute force, and exploiting known vulnerabilities against accounts and
networks with weak security—to gain initial access to target networks.
• Vulnerabilities known to be exploited by Russian state-sponsored APT actors for initial access include:
o CVE-2018-13379 FortiGate VPNs
o CVE-2019-1653 Cisco router
o CVE-2019-2725 Oracle WebLogic Server
o CVE-2019-7609 Kibana
o CVE-2019-9670 Zimbra software
o CVE-2019-10149 Exim Simple Mail Transfer Protocol
o CVE-2019-11510 Pulse Secure
o CVE-2019-19781 Citrix
o CVE-2020-0688 Microsoft Exchange
o CVE-2020-4006 VMware Workspace ONE Access (note: this was a zero-day at the time)
o CVE-2020-5902 F5 BIG-IP
o CVE-2020-14882 Oracle WebLogic
o CVE-2021-26855 Microsoft Exchange (Note: this vulnerability is frequently observed used in
conjunction with CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065)
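Patching the listed CVEs covers the "known vulnerabilities" item; the brute-force item needs detection on the authentication path, and the two variants look different in logs: a password spray touches many accounts once each from one source, a classic brute force hammers one account. The following is an added example, not HC3 code, that runs a sliding window over per-source failures and also flags a success that follows a burst of failures, since that is the event that matters. The log format (`timestamp auth FAIL|OK user=<name> src=<ip>`), the thresholds and the sample lines are constructed for the example.

```python
"""Detect brute-force and password-spray patterns in authentication logs.
Added example; not HC3 code. The log format, thresholds and sample lines are
constructed: one record per attempt, 'timestamp auth FAIL|OK user=<n> src=<ip>'."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>FAIL|OK) user=(?P<user>\S+) src=(?P<src>\S+)$")


def parse(lines):
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:  # unparseable line: skip it rather than stall the pipeline
            continue
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"])
        events.append(e)
    return events


def detect(events, window=timedelta(minutes=10), spray_users=5,
           brute_attempts=10, min_prior_failures=3):
    """Per source address, slide a time window over failed logins.
       password_spray:         >= spray_users distinct accounts failed in one window
       brute_force:            >= brute_attempts failures against a single account
       success_after_failures: an OK preceded by >= min_prior_failures FAILs for
                               the same account within the window (possible compromise)
    Returns a sorted list of (src, [labels])."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_src[e["src"]].append(e)
    alerts = []
    for src, evs in by_src.items():
        fails = [e for e in evs if e["result"] == "FAIL"]
        labels = set()
        start = 0
        for end in range(len(fails)):
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            win = fails[start:end + 1]
            users = {e["user"] for e in win}
            if len(users) >= spray_users:
                labels.add("password_spray")
            elif len(users) == 1 and len(win) >= brute_attempts:
                labels.add("brute_force")
        for e in evs:
            if e["result"] != "OK":
                continue
            prior = [f for f in fails
                     if f["user"] == e["user"] and e["ts"] - window <= f["ts"] < e["ts"]]
            if len(prior) >= min_prior_failures:
                labels.add("success_after_failures")
        if labels:
            alerts.append((src, sorted(labels)))
    return sorted(alerts)


# Constructed sample log, generated relative to one base time.
_T0 = datetime(2022, 3, 10, 2, 0, 0)


def _at(seconds):
    return (_T0 + timedelta(seconds=seconds)).isoformat()


SAMPLE_LOG = (
    # One attempt each against six accounts in under three minutes: spraying.
    [f"{_at(30 * i)} auth FAIL user={u} src=203.0.113.7"
     for i, u in enumerate(["jdoe", "asmith", "bwong", "cpatel", "dlee", "admin"])]
    # Twelve rapid failures on one account, then a success: brute force that worked.
    + [f"{_at(600 + 5 * i)} auth FAIL user=admin src=198.51.100.3" for i in range(12)]
    + [f"{_at(690)} auth OK user=admin src=198.51.100.3"]
    # A user mistyping a password twice: below every threshold.
    + [f"{_at(3600)} auth FAIL user=jdoe src=10.0.0.5",
       f"{_at(3620)} auth FAIL user=jdoe src=10.0.0.5",
       f"{_at(3640)} auth OK user=jdoe src=10.0.0.5"]
)

if __name__ == "__main__":
    for src, labels in detect(parse(SAMPLE_LOG)):
        print(src, ", ".join(labels))
```

The spray threshold is deliberately on distinct accounts rather than attempt count, because a spray stays under per-account lockout limits by design; a detector keyed only on failures per account will never see it.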
Reference Materials
References
• Barr, Luke and Mallin, Alexander. “DOJ official warns companies 'foolish' not to shore up cybersecurity amid Russia tensions,” ABC News, 17 February 2022. https://abcnews.go.com/Politics/doj-official-warns-companies-foolish-shore-cybersecurity-amid/story?id=82959520
• Constantin, Lucian. “Conti gang says it's ready to hit critical infrastructure in support of Russian government,” CSO Online, 25 February 2022. https://www.csoonline.com/article/3651498/conti-gang-says-its-ready-to-hit-critical-infrastructure-in-support-of-russian-government.html
• Duell, Mark. “Russia sanctioned by the world: How world leaders putting the financial thumbscrews on Putin have done nothing to halt his forces rampaging across Ukraine... as India and China refuse to stop trading,” Daily Mail, 25 February 2022. https://www.dailymail.co.uk/news/article-10550811/How-Russia-sanctioned-world-Ukraine-invasion.html
• “Conflict in Ukraine,” Council on Foreign Relations, 8 March 2022. https://www.cfr.org/global-conflict-tracker/conflict/conflict-ukraine
• Greig, Jonathan. “Anonymous hacktivists, ransomware groups get involved in Ukraine-Russia Conflict,” ZDNet, 25 February 2022. https://www.zdnet.com/article/anonymous-hacktivists-ransomware-groups-get-involved-in-ukraine-russia-conflict/
• Gwengoat. “Ukraine vs Russia stock photo,” iStock, 25 June 2019. https://www.istockphoto.com/photo/ukraine-vs-russia-gm1158059333-316205199
• Henderson, Jennifer. “Watch Out for Cyberattacks Following Russia's Invasion of Ukraine,” MedPage Today, 25 February 2022. https://www.medpagetoday.com/special-reports/exclusives/97385#:~:text=Since%202018%2C%20the%20Ryuk%20ransomware,Street%20Journal%20reported%20last%20June
Product Evaluations
Recipients of this and other Healthcare Sector Cybersecurity Coordination Center (HC3) Threat Intelligence products are highly encouraged to provide feedback. If you wish to provide feedback, please complete the HC3 Customer Feedback Survey.
Disclaimer
These recommendations are advisory and are not to be considered as Federal directives or standards. Representatives should review and apply the guidance based on their own requirements and discretion. HHS does not endorse any specific person, entity, product, service, or enterprise.
About Us
HC3 works with private and public sector partners to improve cybersecurity
throughout the Healthcare and Public Health (HPH) Sector
Products
Sector & Victim Notifications
Direct communications to victims or potential victims of compromises, vulnerable equipment or PII/PHI theft, as well as general notifications to the HPH about current impacting threats via the HHS OIG.
White Papers
Documents that provide in-depth information on a cybersecurity topic to increase comprehensive situational awareness and provide risk recommendations to a wide audience.
Threat Briefings & Webinars
Briefing presentations that provide actionable information on health sector cybersecurity threats and mitigations. Analysts present current cybersecurity topics, engage in discussions with participants on current threats, and highlight best practices and mitigation tactics.
Need information on a specific cybersecurity topic, or want to join our Listserv? Send your request for information (RFI) to
HC3@HHS.GOV, or visit us at www.HHS.Gov/HC3.
Contact
www.HHS.GOV/HC3 HC3@HHS.GOV